I saw this recently and I don't know if it's real or not since I can't easily test it right now. The initial report said any 3.2.x version, but the comments seem to require some specific conditions: "compiled with IDENT, logging to SYSLOG and DEBUG enabled." In any case, I don't know if this is something old and patched or a valid concern. I couldn't find any talk about it so I thought I'd ask.
In any case, here is the pastie to the C exploit source.
http://pastebin.com/6emNxZxs
I saw the initial report here
http://www.thehackernews.com/2011/07/0d ... emote.html
but now it's some other junk.
Title was: 0day UnrealIRCD 3.2.X all versions remote format string exploit ...
is format string vulnerability real?
Re: is format string vulnerability real?
Well, for starters, DEBUGMODE should never be enabled on a production server. As we say in include/config.h:
Code:
    * You should *NEVER* enable this setting on production servers.
That's pretty clear I think.
Second, I don't know anyone who logs to syslog. Most likely because there's no documentation whatsoever about it, I had to read the source to know how to enable it.
I haven't had a chance to look into the claimed vulnerability yet, so I don't know if it goes beyond that.
However, if it does require both of these, then I would say it's a non-issue, but it's worth investigating if that's the case, of course.
Re: is format string vulnerability real?
Can't reproduce it, also tried numerous %s's and no crash, with debugmode & syslog enabled.
Looking at the code I also don't see any bug in this area.
Next time, if you or someone else wants to report a claimed vulnerability (even if it's in the wild), it would be better if you contact me directly at [email protected] (or [email protected]), or just use the bugtracker at http://bugs.unrealircd.org and mark it as 'private'.
I mean, if it would have been real, it would have been nice to give us some time to bring out a fixed release. Also, we don't check the forum every day, while with an email or bugtracker entry we get notified directly.
I do thank you for the report though; even if it turns out to be a fake like in this case, it's better to inform us.
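As an added illustration (not UnrealIRCd code and not posted by anyone in this thread), the following C snippet shows the two logging shapes that decide whether a format string bug of the kind claimed can exist at all, and a small check for the %s-laden input the developer above used when trying to reproduce it. It writes into a buffer instead of calling syslog() so it runs offline; the helper names, the "ident reply:" prefix and the sample inputs are assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not UnrealIRCd code. Models a debug-log helper that
 * receives attacker-influenced text (e.g. an ident reply) and writes a
 * log line. Buffer-based stand-in for syslog() so it runs without syslogd. */

#define LOG_MAX 256

/*
 * Vulnerable shape (shown as a comment only, never compiled or called here):
 *
 *   static int debug_log_vulnerable(char *out, size_t n, const char *user_text)
 *   {
 *       return snprintf(out, n, user_text);   // user text IS the format string
 *   }
 *
 * Here "%s%s%s%n" inside user_text would be interpreted by snprintf.
 * gcc -Wformat-security flags this pattern at compile time.
 */

/* Hardened shape: user text is always a %s ARGUMENT, never the format.
 * Whatever '%' sequences it contains are copied literally. */
static int debug_log_hardened(char *out, size_t n, const char *user_text)
{
    return snprintf(out, n, "ident reply: %s", user_text);
}

/* Defensive check: count printf-style conversion directives in untrusted
 * text. Useful for a log filter or detection rule that wants to flag the
 * "numerous %s's" style of probe mentioned in the thread. "%%" is a literal
 * percent sign and a trailing lone '%' is not a directive. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        if (s[1] != '\0')       /* '%' followed by something: a directive */
            count++;
    }
    return count;
}

/* Returns 1 if the hardened helper preserved the user text byte-for-byte,
 * i.e. the directives were logged, not interpreted. */
static int hardened_keeps_text_literal(const char *user_text)
{
    char out[LOG_MAX];
    debug_log_hardened(out, sizeof out, user_text);
    return strstr(out, user_text) != NULL;
}

int main(void)
{
    /* Constructed sample inputs, the kind of probe a tester would send. */
    const char *probe = "%s%s%s%s%n";
    const char *benign = "100%% done";
    char out[LOG_MAX];

    debug_log_hardened(out, sizeof out, probe);
    printf("logged line      : %s\n", out);
    printf("directives(probe): %d\n", count_format_directives(probe));
    printf("directives(benign): %d\n", count_format_directives(benign));
    printf("literal preserved: %d\n", hardened_keeps_text_literal(probe));
    return 0;
}
```

The point of the pair is that a format string bug needs the untrusted text to reach the format parameter of a printf-family or syslog() call; if every debug path uses the hardened "%s" shape, sending any number of %s sequences produces a literal log line and no crash, which is consistent with what the reproduction attempt above reports.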
Re: is format string vulnerability real?
Thanks for looking into it. Next time (hoping there isn't one) I will go the bug tracker/private route.
Incidentally, no one should attempt to build and run the pastebin code. It was just for reference.
...and I say that because unless you fully understand every single line, the code itself may be a trojan.
I should have noted that in my first post, but I guess in my haste it slipped my mind, and now I can't edit that post.
Re: is format string vulnerability real?
Ah yes, I ran it on an isolated VM as non-root (changed ident ports in the code & unreal) for precisely that reason.
I wouldn't recommend anyone to just compile & run it as root.